SAP User Authorizations.
Hi, Sachin here.
This is regarding authorizations.
I have to remove some authorization as per below mentioned.
1. Su01, su02, su03, su10, sm59, sm01, scc4, rz20 these comes under basis part
2. Se80, se39, se38, se15, se11, se12, se01 and these comes under ABAP Workbench part
I have gone through authorization roles, but these all T.Codes are not present as in object Transaction code check at transaction start directly.
These might be in other packages.
In which packages and with which object I can remove these authorizations?
I have gone through packages like Basis Administration, Basis Development Environment Basis Central Function
There is one object ABAP Workbench in package Basis Development Environment
If I will make this object inactive, shall above mentioned ABAP Workbench relate authorizations get removed??
Pleae guide.
Wram Regards
Sachin.
Message was edited by:
scil scil
Message was edited by:
scil scil
hello Sachin,
You need to check the roles which are giving these transactions to the users.
Execute report RSUSR070 in SE38 or simply execute the transaction S_BCE_68001425.
Now under tabstrip Selection according to authorization values go to input field Authorization object1-->Object 1. Here input value S_TCODE and press the retun/enter key.
Now more inputs fileds will come up. You can give t-codes here and the output will display the roles in which these transactions are present.
Then accordingly you can ensure that these roles are not assigned to the users or may be change the roles to suit your requirements. Though changing standard SAP roles is not a good practice ; you can actually create a new role as a copy of exisitng standard role under your customer namespace and subsequently make modifications to that role.
Please award points if answer was helpful.
Regards.
Ruchit.
Similar Messages
-
What User authorization objects needed for connecting to SAP from xMII?
We eneter a SAP user and password for connecting to SAP from xMII to retrieve the metadata of the incoming IDocs.
When I specify a user with SAP_ALL user profiles, the IDocs are received properly in xMII. If I specify a user with privileges to run only certain transactions, IDocs are not received in xMII.
What user authorization objects are needed for this user to connect to SAP from xMII?
Thanks,
SaraSam,
I turned on the SAP System trace for this user and figured out the following auth. objects are required for receiving IDocs in xMII:
C_TCLA_BKA
S_RFC
S_CTS_ADMI
B_ALE_MAST
S_IDOCDEFT
The following auth. object is required for making JCO call to SAP from xMII:
C_AFRU_AWK
Thanks,
Sara -
SAP* user doesnt have full authorizations.
Hi All,
my Admin user for EP7 portal is locked.
Tried to activate the sap* user to chang the password of my admin user,
but strangely the sap* user is not able to do so too.
When i click on User Admin on the sap* user I get a mesage saying
"you have not enough rights to perform this contact your systemadministrator"
I fail to undrstand how can sap* user not have rights to admin...when its purpose is to
act as emrgency admin user.
Now I am helpless as this is the only way to reset admin password....
What should I do...
please help......Did you restarted the j2ee java.
Also check the below blog
SAP* - The Saviour
Raghu -
Hi All SAP experts,
My company has implemented 2 Systems SAP Landscape with one development and one production server which are running on R/3 Enterprise 4.7 (Kernel Release 6.20) with Microsoft SQL 2000 as database server.
I have the following questions regarding new sap user creation by using user copy function.
1.When I request to create new SAP User by using user copy function ,should I just create the user acct in DEV and transport it to PROD System? If yes, how could I do that?
2.When I request to create new SAP User by using user copy function, can I just create it on PROD System only? If yes, what is the impact?
3.When using User copy function to create new user acct, should I select all parts (like adress ,defaults,reference user, user groups.....) of the existing user to be cloned to new user acct?
Thanks.
LeonHi Leon,
Answer to your questions in their respective order:
1. You can create user in DEV and then make remote client copy to PRD system using scc9 t-code. Here you can choose user accounts and authorizations for the copy. ( Rem: Data will be overwritten in target system when copied).
You can also use client export/import(scc8/scc7)
But, When you do the client import from the exported files using STMS,you will have to select only one of the transport requests and then STMS automatically selects the other requests for you.
Then it will show you the different transport requests that you have created during your export, the client copy profile and the target system and client. The customizing and application data is deleted in the target client before copying for all profiles except SAP_USER. This is technically unavoidable (and hence the data will be overwritten).
So if you can afford overwritting of user data in target client , you can go with the above procedure.
2. Using user copy in su01, you can copy one user to another user only in that client and is confined to that system only. So yes, If you want 2 or more users to have same authorizations, profiles ,etc etc.. you can choose this in PROD system.
3. It depends.. If you want user to be in same group, then you can choose user groups. If you want them to have same authorizations , you can choose roles and profiles... If you want them to have same company address and others,... you can select address.. and so on.
Also below link provides required steps in case you choose local/ remote client copy:
http://www.sap-basis-abap.com/bc/client-copy-by-using-scc8-and-scc7.htm
Hope this helps...
Thanks,
Ajith
Edited by: Ajith Kamath on Oct 20, 2009 8:28 AM -
Purchase Order Release Strategy and SAP user RelationShip
Hi,
We are currently developing a work flow to streamline PO release in our company . What we want to achieve is that
E.g
A purchase order 100001 is creates and a release strategy s1 is applied to it which is a 3 level relase statrgy having release code c1,c2,c3 which are uniquely assigned to user/employee of the company and no 2 users'employee can have the same release code.
Now when c1 release the purchase order a work item should be created to for the user/employee who is assigned the c2 code.
Currently this workflow is not implemented in our company adn the relase stategy is handeled by authorization oobjects and when ever a po user relase the po he calls up the other persona next in relase strategy to notify him about the work he has to do .
I am need to know can we develop a relationship b/w the release code and sap user or employee
Regards
Kamran ellahiHi,
We are currently developing a work flow to streamline PO release in our company . What we want to achieve is that
E.g
A purchase order 100001 is creates and a release strategy s1 is applied to it which is a 3 level relase statrgy having release code c1,c2,c3 which are uniquely assigned to user/employee of the company and no 2 users'employee can have the same release code.
Now when c1 release the purchase order a work item should be created to for the user/employee who is assigned the c2 code.
Currently this workflow is not implemented in our company adn the relase stategy is handeled by authorization oobjects and when ever a po user relase the po he calls up the other persona next in relase strategy to notify him about the work he has to do .
I am need to know can we develop a relationship b/w the release code and sap user or employee
Regards
Kamran ellahi -
Learning SAP BW authorizations structure and hierarchy - concepts
Hello Experts,
I need a good document for learning Authorizations structuring and hierarchy in SAP BIW 3.5 . I am giving authorizations in BIW but do not hv conceptual nd fundamentalistic knowledge of SAP BW authorizations and its structure . Plz send a good document for learning BW authorizations .............................it may be an excerpt frm FU&FU guide. My Email Id is [email protected]
A short but complete SAP BW fundamentalistic , concepts and structure & hierarchy covering document is appreciated.
Requested to revert at earliest as this is very urgent.
Points guaranteed.
Regards,
SomyaHi maheshwari ,
Use these steps for authorizations,
1.before going to authorizations u have to decide on which Infoobject u have to apply authorizations.
EX: SD--- Sales Org, MM -> palnt ,purorg,FI> companycode.
first u ahve to decide which area & on which Infoobject.
2.goto that Infoobject --> change there check the checkbox Authorization relavent object cahechbox
2.after that U Have to goto RSSM there u have to create authorization object
Ex: Zxxx ( XXX is Infoobject Name ).
3. In the same transaction Screen u have Infocube selection radio Button check that then select on which cube(cube means under that cube all Quaries) u have to make authorization for that perticuler Infoobject.
4.next goto PFCG create role & save it
5.goto Authorization tab in that selct edit authorization it will give automatiaclly authorization Templates in that u have to select only S_RS_RREPU & press Enter.
6. Select manual pushbutton it will ask authorisation object enter ur authorization object what u have created ( zxxx) .
7.click generate +enter
8. goto user tab Enter userId+enter + click on usercomparision+ enter
9.save the role.
FOR HIRARCHIES:
1. goto RSSM There u have one rediobutton called authorization hierarchy ( this radio button is very below the RSSM screen)
2. there u have to select Hierachy on which u have to apply authorization.
Thanks,
kiran -
Oracle 10g Rel 2 - Proxy connection authentication with SAP User ID
Dear Experts,
We are currently doing some research and planning to upgrade SAP R/3 4.6C to ECC 6 and upgrading Oracle from version 9.2 to 10.2
In upgrading to Oracle vers. 10g Rel 2, we got advised that Oracle has apparently introduced a new proxy connection authentication, in which the SAP user ID is given limited privileges (create session only) ??
If you have any information on this or known any impact about this issue, please advise us.
Thanks in advance.Thanks for your help, Kaushal.
I also found the SAP Note 834917 (Oracle Database 10g: New database role SAPCONN and it seems to be on a right direction to cope with that problem.
- For Oracle releases earlier than 10gR2, the CONNECT role includes extensive database authorizations and the more restrictive CONNECT as of 10gR2.
- To overcome this restriction, SAP need to find a way to compensate this, so does it come SAPCONN.
- SAPCONN is the new SAP-specific database role, which is defined to support the normal SAP applications operations (CONNECT, RESOURCE and SELECT_CATALOG_ROLE).
Once again, thanks. -
Can some one tell me the SAP USERS ROLE TABLE
I Will assign point to any input.
Balance Roll forward
Change Vendor Line Items
Change Parked Vendor Document
Change/ Reverse Vendor Invoice
Check Processing
Clear Accounts Payable Items
Display A/P Balance & Items
Display Checks
Display Vendor Documents
Display A/P Master Data
Display Parked Vendor Documents
Account Payable Interest Calculation
A/P Invoice Entry
A/P Accounting Key Reports
Manual Payment
Payments Using Bill of Exchange Display
Payment Run Parameters
Create and Process Payment Run Proposal
Accounts payable period closing
Post Parked Vendor Document
Maintenance of Accounts Payable Master Data
Process Withholding Taxgo to t code PFCG
Search for roles with SAP_FI_AP*
You could always create your own role.
In the Menu tab add the t codes you have specified.
You will then need to add the authorization objects in the authorization tabs.
For the t codes you have I guess it would take an hour max. -
Need a Query/User Authorization Report
Hello All,
I am looking for tables, function modules, programs etc that will aid in building a report that will show every query and which users have access to them.
This program I am wanting to build will serve as a periodic "reality check" on our authorizations.
I am not sure about the tables/programs etc involved in interpreting the user's roles/profiles.
My current thinking is that there may be a function module or program that is being by the BEx tools that comes up with the list of queries that the user has access to when they first select the query they want to run. Getting a hold of that would be very beneficial.
Any ideas?Hi,
Refer the below links
www.das.state.ne.us/nis/security/docs/authorized_agent_manual.pdf
script.wareseeker.com/PHP/uas-user-authorization-system.zip/18033
eda.ogden.disa.mil/users_guide/trainMaterial/GeneralAdminMaint.ppt
www.umaryland.edu/eumb/Documents/user_aff.pdf
www.mariewagener.de/node/98
https://wiki.sdn.sap.com/wiki/display/BI/AuthorizationinSAPNWBI?focusedCommentId=78053701
www.bi-expertonline.com/downloads/Smith.doc
https://aisweb.wustl.edu/hr/benefits.nsf/pages/files/$file/hrmssecurityauth07.pdf
www.sapdev.co.uk/sap-bw/queryexit.htm
naresh -
CRM Analytics - User Authorization Not Suficient
Hi Guys,
We have implemented the CRM analytics report, however when I access the menu Sales Pro in CRM and try to open the report Closed Opportunities, I get the error : User Authorization not sufficient.
If I open the error I get the message :
Diagnosis
The user doesnot exist in the BI client or has insufficient authorizations
Procedure
Contact system administrator to verify the user is setup properly in both CRM and BI client
Procedure for System Administration
Verify that the user exist in BI client with the same user id, if not create it and assign proper authorizations as per the configuration guide.
When I run the query or the webtemplate in BW I don't have authorization problems, but I can't run from CRM.
Any suggestion about how to fix it?
Thanks in advance,
FernandoHi Fernando,
The report which you have implemented is doing a RFC call to BI system where some other system program is getting called which have authorization logic check for the RFC user ( or the person who is running the report). here report is terminating with error. I have face the similar issue.
generally such reports we use to schedule as a background job with batch user which have SAP ALL access but I feel in your case user who runs the report have not sufficent authorization in BI system and also you are not running report as an background job.
There aretwo tricks to findout the missing authorization which I also have used.
First option : close all the session except one in CRM and than run the report as soon as the error comes open transaction code SU53 to know the missing authorization - may be you can fail here as the authorization check fail in BI.
Second option definitely will work. Whenerror is coming double click on the mmessage to know the message detail(class and number) than again run the report in debugging mode (/H- type in address bar to activate debugging) than set breakpoint in the message and press f8( may be system will not set the break point immediately than you need to debug till the RFC calls BI system) . system will take you to the exact authorization code check where the error is coming. there you can find out the missing authorization object which is not included in the user assigned role. than can ask access team to add in the user role.
I hope this will solve your issue. Please revert with your finding.
Thanks,
Prem -
Creating second InfoView entry point for SAP users in XI 3.1
Hi All,
I have BOE XI 3.1 up and running with the Business Objects Integration kit SAP Solutions kit I would like to create a second infoview entry point for SAP users on the same physical box (single server) as regular InfoView.
I am trying to mock this up and have detailed the following steps below. I suspect I am missing a few steps (for example, where do I specify the entry port?). I am sure step 2 is wrong, as I the desktoplaunch no longer exists in Xi 3.1
1. Copy the InfoView.war file to a new directory ( Program Files/Business Objects/ Business Objects Enterprise 12.0/java/applications/sap). I imagine I would need to rename the war file (say SAPInfoview.war)?
2. Create a xml file with the following logic (the part in bold I consider to be wrong...):
<Context docBase="Program Files\Business Objects\Business Objects Enterprise 12.0\java\applications\sap\SAPInfoview.war" path="/
businessobjects/enterprise115/desktoplaunch"
crossContext="false" debug="0" reloadable="false"
trusted="false"/>
3. Save the xml file (what name? does it matter) in Program Files\Business Objects\Tomcat55\conf\Catalina\localhost
4. Restart Tomcat
5. Change the web.xml to make SAP security the default. But this should not be the regular infoview web.xml. I'm not sure where this would reside.
Thanks,
Steve
Edited by: Steve Bickerton on Jan 15, 2009 9:19 PMHi Ingo,
You've been working with Duncan and Sartaj on this. The client has two set of users: non HR which has no BW or R/3 authorization restrictions, and HR, which has authorization restrictions.
They have deployed SSO using AD for the non HR users. They also want to leverage InfoView rather than the SAP portal. For the HR users, we therefore need to capture the SAP id and password at login time to enforce security at the BW and R/3 levels. We could use the existing Infoview entry point (SSO will fail and they will be prompted for a SAP login). I do remember that we offered a second InfoView entry point for SAP users in XIR2. I thought this may be more elegant.
Thanks,
Steve -
Creating variable with the user Authorization in BEx
Hi gurus,
i want to create a variable with user authorization in BEx. Can any one please tell me the steps to create the variable for authorization.
Thanks in advance
sandyHi,
Please take a look and refer the section Use of Variable filled Authorizations(User Exit)
Advanced Features of SAP BW Reporting Authorizations
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
Hope this helps.
Cheers,
Gimmo -
Hi,
I have developed a webdynpro application which enables users to change their personel details like changing work contact no , emails , cell no etc. the users can access the iview through ESS.
I am facing some authorization issues as the changes can be done only if a user have authorization for TC: PA30 , But we have non sap users who use ESS and try to change their details. Is there any other way we can get around this problem ??
Regards,
KumarHi Ramm,
I followed as suggested
country infotype subtype use case
08 0040 0011 A1
08 0105 0001 A1
08 0105 0005 A1
08 0105 0010 A1
08 0105 0020 A1
Its coming up with an error saying that
There is an inconsistency in the usecase maintained for this record.
Message no. HRXSS_PER003
System Response
There is an inconsistency in the usecase maintained for this record.
Procedure
In order to change the usecase goto the view "V_T7XSSPERSUBTYP" and change the corresponding usecase of the infotype/subtype.
Thanks,
Kumar -
All the users authorization report
Dear Experts,
I want run the all the users authorization in SAP. I want prepare authorization matrix from all the users.
Please help me on this. Thanks for advance.
Regards
S.PrasadHi,
post your query in abap forum.
the following tables are useful to create such report
ROLES BY TCODE ASSIGNMENT
TSTCT
AGR_1251
ROLES BY USERS ASSIGNMENT
AGR_USERS
USER_ADDR
ROLES BY ORGANIZATIONAL LEVEL ELEMENT ASSIGNMENT
AGR_1252
USVART
regards,
kaushal -
How to give user authorizations for a Program or an ICF service
Hi,
1)How to give user authorizations for a report program or an ICF service.
2)How to create an user authorization object.
Regards,
Vinay.check this online help for more info on authorization object creation
http://help.sap.com/saphelp_nw04/helpdata/en/52/67168c439b11d1896f0000e8322d00/frameset.htm
for question no1.
ICF - you either maintain the auth obj relevant at the icf service level itself or you can code call authority object and block access
for abap programs:
you maintain auth object at the tcode or code the call authority object within the program
Regards
Raja
Maybe you are looking for
-
Brand New rMBP 13" Wifi Issues
I have a new Macbook Pro Retina 13" Late-2013 model that is having Wifi disconnect issues. It seems to happen when the computer goes to sleep and wakes up. It refuses to reconnect to any of my preferred networks when it wakes up. I was on the phone w
-
Space key gives double spaces or no spaces
The space key on my keyboard is getting flaky: sometimes it works fine, sometimes it puts in two spaces, sometimes I have to hit it a few times to get a space. Any suggested cures other than a new keyboard?
-
Why QuickTime on iPad is slow? How to fix it?
Why QuickTime on iPad is slow? How to fix it?
-
Varying table columns, best practices
I've been wondering about this for quite sometime now. JTable is very complex, but it has a lot of funcationality that hints at reusable models. The separation of TableModel and ColumnModel seems to hint at being able to reuse a TableModel that store
-
BUG: BizTalk Service Portal SSO crash upon re-login
Tried to re-login under another account on BizTalk Services Portal (biztalksvc12.portal.biztalk.windows.net): Server Error in '/' Application. IDX10301: The 'nonce' found in the jwt token did not match the expected nonce. expected: '63559234923030043